VLANs and Local Boundaries

VLANs as Logical LANs

A VLAN (Virtual Local Area Network) is a logical Layer 2 network created in switch software. Devices in the same VLAN behave as if cabled to the same physical Ethernet segment, even when they sit on different switches across a building. Devices in different VLANs are isolated at Layer 2. This lets one physical switch host several independent segments — office PCs, voice phones, guest Wi-Fi, printers, security cameras, and management — without buying a switch per group.

The single most important property: a VLAN is a broadcast domain. Broadcast traffic — ARP requests, DHCP Discover messages, and similar — stays inside the VLAN. It does not cross into another VLAN unless a router or Layer 3 switch is configured to forward or relay it. If a workstation lands in the wrong VLAN, it may get no DHCP lease, no usable default gateway, and no access to local resources that work fine for the user at the next desk.

One VLAN, one subnet

VLANs and IP subnets are different concepts, but in practice they line up one-to-one:

To move traffic between VLAN 10 and VLAN 20, a router, Layer 3 switch, or firewall must route between the subnets — a setup often called inter-VLAN routing. Without that routing, a host in VLAN 10 cannot reach a host in VLAN 20 even though both plug into the same switch.

Access Ports, Trunk Ports, and 802.1Q

Switch ports are configured as one of two main types.

• An access port belongs to a single VLAN and connects an endpoint: a PC, printer, or simple access point. Frames on an access port are untagged — the host has no idea a VLAN exists.
• A trunk port carries traffic for many VLANs over one link, usually switch-to-switch, switch-to-router, or switch-to-firewall. To keep VLANs separate on a shared link, the switch inserts an IEEE 802.1Q tag.

The 802.1Q tag is a 4-byte field added to the Ethernet frame. Its VLAN ID field is 12 bits, so valid VLAN IDs run 1 to 4094. One VLAN on a trunk is untagged and called the native VLAN (default VLAN 1). A voice VLAN lets an IP phone and the PC plugged behind it ride one cable on two VLANs at once — phone traffic tagged, PC traffic untagged.

Mapping symptoms to the boundary

VLAN failures look like address or service failures to the user. Compare what the device has against what it should have:

• User in the office gets a guest-subnet IP -> the access port or wireless SSID is mapped to the wrong VLAN.
• The phone works but the PC behind it does not -> voice/data VLAN or cabling issue.
• Many users on one switch lose DHCP while others are fine -> an uplink trunk or its allowed-VLAN list likely changed.

What to put in the ticket

Record the wall jack or switch port, the client IP and gateway, whether DHCP or static addressing is used, the SSID if wireless, and whether nearby devices are affected.

Common traps

• Treating VLAN and subnet as the same thing — they correlate but are not identical.
• Forgetting that same-switch devices in different VLANs still need a router to talk.
• A native VLAN mismatch between two trunked switches, which can leak or drop traffic.
• Assuming a trunk problem affects one user; it can break many users across several VLANs at once.

Why VLANs Exist, and How They Fail

Before VLANs, separating two groups of users meant buying two physical switches and never cabling them together. VLANs collapse that into one switch with software boundaries, delivering four concrete benefits a CCST candidate should be able to name.

• Broadcast control. A single flat network with hundreds of hosts floods every broadcast to everyone, wasting bandwidth and CPU. Splitting into VLANs shrinks each broadcast domain.
• Security and segmentation. Guests, cameras, payment terminals, and staff can be isolated so a compromised guest device cannot directly reach servers without crossing a router and its firewall rules.
• Organization. Devices are grouped by function, not by physical location, so a marketing user on the third floor and one in the basement share VLAN 10.
• Flexibility. Moving a user to a new group is a port-VLAN change, not a recabling job.

VLAN 1 and the management trap

VLAN 1 is the default on Cisco switches and the default native VLAN on trunks. Leaving user traffic and switch management on VLAN 1 is a common weak point; engineers usually move management to a dedicated VLAN (e.g., 99). A CCST tech should recognize that 'everything works except I cannot manage the switch' can be a management-VLAN reachability issue.

A diagnosis table you can apply

Worked scenario

A new hire in VLAN 10 (192.168.10.0/24) reports no network. You see the laptop holds 192.168.20.7 — a guest-subnet address. Same-subnet neighbors on VLAN 10 are fine. The address from the wrong subnet tells you the port was re-patched or reconfigured into VLAN 20, so the laptop hit the guest DHCP scope. The fix is a port-VLAN correction (an engineer task); your job is to document the jack, port, observed IP, and expected VLAN, then escalate. Notice you diagnosed a Layer 2 boundary purely from a Layer 3 symptom — that mapping is the skill the exam rewards.